1 --- kernel-grsec_full.patch.org 2011-08-24 09:32:29.113836788 +0200
2 +++ kernel-grsec_full.patch 2011-08-24 10:43:17.023101342 +0200
3 @@ -11175,9 +11175,9 @@
4 @@ -186,7 +186,7 @@ void dump_stack(void)
6 bp = stack_frame(current, NULL);
7 - printk("Pid: %d, comm: %.20s %s %s %.*s\n",
8 -- current->pid, current->comm, print_tainted(),
9 -+ task_pid_nr(current), current->comm, print_tainted(),
10 + printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11 +- current->pid, current->comm, current->xid, print_tainted(),
12 ++ task_pid_nr(current), current->comm, current->xid, print_tainted(),
13 init_utsname()->release,
14 (int)strcspn(init_utsname()->version, " "),
15 init_utsname()->version);
16 @@ -14211,9 +14211,9 @@
17 @@ -106,7 +123,7 @@ void show_regs_common(void)
19 printk(KERN_CONT "\n");
20 - printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
21 -- current->pid, current->comm, print_tainted(),
22 -+ task_pid_nr(current), current->comm, print_tainted(),
23 + printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
24 +- current->pid, current->xid, current->comm, print_tainted(),
25 ++ task_pid_nr(current), current->xid, current->comm, print_tainted(),
26 init_utsname()->release,
27 (int)strcspn(init_utsname()->version, " "),
28 init_utsname()->version);
29 @@ -37570,9 +37570,9 @@
30 #include <linux/slab.h>
31 #include <linux/fs_struct.h>
32 +#include <linux/grsecurity.h>
33 + #include <linux/vserver/global.h>
36 - static inline void path_get_longterm(struct path *path)
37 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
40 @@ -39661,9 +39661,9 @@
42 #ifdef CONFIG_SCHEDSTATS
43 @@ -2857,6 +2972,9 @@ static const struct pid_entry tgid_base_
44 - #ifdef CONFIG_HARDWALL
45 INF("hardwall", S_IRUGO, proc_pid_hardwall),
47 + ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
48 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
51 @@ -39733,11 +39733,11 @@
54 filp->f_pos = iter.tgid + TGID_OFFSET;
55 + if (!vx_proc_task_visible(iter.task))
57 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
58 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
59 put_task_struct(iter.task);
62 @@ -3141,7 +3294,7 @@ static const struct pid_entry tid_base_s
63 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
65 @@ -39815,9 +39815,9 @@
66 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
67 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
69 - extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
70 + extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
71 + struct pid *pid, struct task_struct *task);
73 - extern const struct file_operations proc_maps_operations;
74 diff -urNp linux-3.0.3/fs/proc/Kconfig linux-3.0.3/fs/proc/Kconfig
75 --- linux-3.0.3/fs/proc/Kconfig 2011-07-21 22:17:23.000000000 -0400
76 +++ linux-3.0.3/fs/proc/Kconfig 2011-08-23 21:48:14.000000000 -0400
77 @@ -53625,10 +53625,10 @@
78 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
79 mode_t mode, struct proc_dir_entry *base,
80 read_proc_t *read_proc, void * data)
81 -@@ -258,7 +271,7 @@ union proc_op {
82 - int (*proc_show)(struct seq_file *m,
83 - struct pid_namespace *ns, struct pid *pid,
84 - struct task_struct *task);
85 +@@ -278,7 +278,7 @@ union proc_op {
86 + int (*proc_vs_read)(char *page);
87 + int (*proc_vxi_read)(struct vx_info *vxi, char *page);
88 + int (*proc_nxi_read)(struct nx_info *nxi, char *page);
92 @@ -55990,15 +55990,15 @@
93 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
96 -@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
97 - const struct cred *old;
98 +@@ -268,6 +268,8 @@ struct cred *__prepare_creds(const struc
104 - validate_process_creds();
106 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
109 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
110 struct thread_group_cred *tgcred = NULL;
112 @@ -56607,13 +56607,15 @@
116 -@@ -1104,10 +1142,13 @@ static struct task_struct *copy_process(
117 - DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
121 +@@ -1156,13 +1156,15 @@ static struct task_struct *copy_process(
122 + init_vx_info(&p->vx_info, current_vx_info());
123 + init_nx_info(&p->nx_info, current_nx_info());
125 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
128 + if (!vx_nproc_avail(1))
129 + goto bad_fork_free;
130 if (atomic_read(&p->real_cred->user->processes) >=
131 task_rlimit(p, RLIMIT_NPROC)) {
132 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
133 @@ -58032,8 +58034,8 @@
134 + struct task_struct *task;
136 rcu_lockdep_assert(rcu_read_lock_held());
137 -- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
138 -+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
139 +- return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
140 ++ task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
142 + if (gr_pid_is_chrooted(task))
144 @@ -58249,7 +58251,7 @@
145 diff -urNp linux-3.0.3/kernel/printk.c linux-3.0.3/kernel/printk.c
146 --- linux-3.0.3/kernel/printk.c 2011-07-21 22:17:23.000000000 -0400
147 +++ linux-3.0.3/kernel/printk.c 2011-08-23 21:48:14.000000000 -0400
148 -@@ -313,12 +313,17 @@ static int check_syslog_permissions(int
149 +@@ -314,12 +314,17 @@ static int check_syslog_permissions(int
150 if (from_file && type != SYSLOG_ACTION_OPEN)
153 @@ -58259,7 +58261,7 @@
156 if (syslog_action_restricted(type)) {
157 - if (capable(CAP_SYSLOG))
158 + if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
160 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
161 if (capable(CAP_SYS_ADMIN)) {
162 @@ -58918,7 +58920,7 @@
163 - if (increment < 0 && !can_nice(current, nice))
164 + if (increment < 0 && (!can_nice(current, nice) ||
165 + gr_handle_chroot_nice()))
167 + return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
169 retval = security_task_setnice(current, nice);
170 @@ -5111,6 +5116,7 @@ recheck:
171 @@ -58987,10 +58989,11 @@
172 if (is_global_init(tsk))
174 if (handler != SIG_IGN && handler != SIG_DFL)
175 -@@ -770,6 +773,13 @@ static int check_kill_permission(int sig
177 +@@ -797,6 +797,14 @@
178 + sig, info, t, vx_task_xid(t), t->pid, current->xid);
183 + /* allow glibc communication via tgkill to other threads in our
185 + if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
186 @@ -58998,9 +59001,9 @@
187 + && gr_handle_signal(t, sig))
191 return security_task_kill(t, info, sig, 0);
194 @@ -1092,7 +1102,7 @@ __group_send_sig_info(int sig, struct si
195 return send_signal(sig, info, p, 1);
197 @@ -65122,6 +65125,7 @@
199 #include <net/inet_connection_sock.h>
200 #include <net/inet_hashtables.h>
201 + #include <net/route.h>
202 #include <net/secure_seq.h>
205 @@ -65129,7 +65133,6 @@
208 * Allocate and initialize a new local port bind bucket.
209 - * The bindhash mutex for snum's hash chain must be held here.
210 @@ -530,6 +533,8 @@ ok:
211 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
212 spin_unlock(&head->lock);
213 @@ -65875,9 +65878,9 @@
214 +extern int grsec_enable_blackhole;
217 - int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
218 + int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
220 - const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
221 + const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
222 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk